[consulting] RE : security of CHANGELOG.txt

Sam Tresler sam at treslerdesigns.com
Tue Sep 29 14:55:23 UTC 2009


In general, I would think that if they know enough to look at your
changelog, they know enough to just test for the security exploit in
question, i.e. "those who know to look" probably do know how to look.

-Sam

On Sep 29, 2009, at 2:22 AM, fgm wrote:

> If you don't keep core up to date, it can be seen as such, but of
> course the vulnerability is not the CHANGELOG per se, but the fact
> that you are not upgrading.
>
> It's basically complaining about the symptom without caring for the  
> disease.
> ________________________________________
> From: consulting-bounces at drupal.org [consulting-bounces at drupal.org]
> on behalf of Matt Chapman [Matt at NinjitsuWeb.com]
> Sent: Monday, September 28, 2009 22:21
> To: A list for Drupal consultants and Drupal service/hosting providers
> Subject: [consulting] security of CHANGELOG.txt
>
> Do others consider it a security risk to leave CHANGELOG.txt web
> accessible; i.e., broadcasting what version of Drupal you're running,
> for those who know to look?
>
> -Matt
>
>
>
> _______________________________________________
> consulting mailing list
> consulting at drupal.org
> http://lists.drupal.org/mailman/listinfo/consulting
